Xembly’s Data Privacy & Security

At Xembly, we take the responsibility of managing your data privacy and security very seriously. We earn our access to manage your calendar and video call data every day by creating and enforcing rigorous internal policies designed to keep your data safe.

Our goal is to be very clear about how and when we collect, store, transmit and use your data. We are guided by a few key user-first governance principles:

  • Your data belongs to you – and you should have control over who has access to it.
  • Your data should be protected – no matter how often, or in what ways you utilize Xembly.
  • Your data should be minimal – only providing the bare minimum needed for Xembly to support you.
  • You should have the ability to delete your data – no questions asked.

Frequently Asked Questions

Is Xembly SOC 2 compliant?

Xembly is SOC 2 Type I certified and has successfully passed a third-party audit from StrikeGraph. We’re fully committed to ensuring strong internal control practices and security frameworks are in place to secure our customers’ data and privacy. If you would like to request a copy of our SOC 2 report, please email us at legal@xembly.com.

What permissions does Xembly ask for?

Xembly will ask to integrate with your Google Calendar, for the purpose of finding and making time for meetings and focused work, and with your chosen video call platform(s): Zoom or Google Meet. Xembly works through Google’s and Zoom’s first-party authentication, so your access is secured through those entities.

Is my data shared with 3rd parties?

We have never shared, and will never share, your Xembly data with a third party for profit or co-marketing purposes. We do not intend in any way to build a business off of monetizing our user data.

In the course of running a technology business, we do use well-regarded tools like AWS to support our infrastructure as subprocessors.

What information does Xembly store and how is that information protected?

Xembly operates on a principle of least privilege. It collects basic user information (name, email address) and limited calendar data (meeting title, attendees, frequency, start/end times, video conferencing provider). Xembly does NOT read or store meeting descriptions or attachment information, and does not have access to Google Drive. Optionally – at the user’s request – Xembly captures meeting recordings to automatically generate meeting notes.

Xembly maintains a strict data management policy as part of its SOC 2 compliance. Selected callouts from its data management policy:

  • Data is encrypted in transit with TLS 1.3; and at rest with AES-256 encryption.
  • Encryption keys are rotated on a periodic basis.
  • Data is logically separated by customer.
  • All data must be classified according to our data classification policy.
  • Any PII must be kept in its secured corporate network; only VPN accessible.
  • Removable media is restricted.

What is Xembly’s data retention period?

Xembly stores calendar data (meeting title, attendees, frequency, start/end times, video conferencing provider) for the life of the user. For meeting notes (“Summaries”), storage is variable and based on customer preference.

For example, the Company can set a default preference to delete all meeting artifacts (video and transcript) for its employees at a specified period, including immediately after processing OR 2 days after, 1 week after, 30 days, etc. Individual users also have this same capability in their Settings controls (image to the right). If the user deletes their Xembly account, all data is hard deleted.

How will Xembly take meeting notes? And how are users notified of Xembly's use during a meeting (is there a warning or consent mechanism)?

Xembly’s approach related to meeting notes – a feature it calls “Summary” – focuses on Security, Control and Compliance.

  • Importantly, Summary is an Opt-In feature (the user default is Off).
  • The Xembly meeting Organizer enables Summary by either manually switching it to “ON” or asking Xena (conversational assistant) to turn it ON / take notes for that event or series.

All attendees are notified that the meeting is being recorded in two separate moments:

  • Pre-meeting: A note on their meeting invite before the meeting starts letting them know that recording is on (see image and disclaimer to the right). 
  • At meeting initiation: Each individual who joins the call hears and sees an announcement that the call is being recorded (this process happens via Zoom’s controls). If attendees are not comfortable, the meeting Organizer has full control to stop or pause the recording directly from the Zoom control panel.

Once the meeting is complete, Xembly processes the meeting through its AI pipeline and delivers it to the meeting Organizer. Only the meeting Organizer has control:

  • Ability to edit / customize the notes.
  • Ability to share the notes (or not). 

If the Organizer shares notes, attendees are limited to read-only access.

If the Organizer shares notes, and meeting artifacts have not been deleted based on customer settings, all streaming video URLs for meeting recordings are signed with a limited Time-To-Live (TTL) equal to the duration of the meeting. This prevents any risk in case the URLs are inadvertently shared with people who should not have access.

If the Organizer shares notes, then Xembly helps to hold the team accountable to their work commitments:

  • Xembly automatically posts Action Items to the appropriate owner’s (Xembly) Task Manager for completion.
  • When posted to the owner’s Task Manager, Xembly then schedules block time to complete the action item. If the work is not completed during the assigned block time, Xembly will continue to move the designated block time until the item is completed (the user has marked it done). This approach has helped improve team performance and accountability to goals.
  • Action item status is up-to-date for everyone to see.

If I have additional questions, who should I contact?

Please reach out to legal@xembly.com.